Even if Speier's bill passes, though, her fight could be for naught. Across the country, on Capitol Hill, Congress is holding hearings on whether -- and if so, how -- to update the Fair Credit Reporting Act (FCRA), the country's first and most important federal privacy law. One of the most contentious questions is whether Congress will extend a complex 1996 amendment that preempts the right of states to pass seven types of consumer-protection laws -- including those that regulate sharing of financial information.
CLAIMS AND COUNTERCLAIMS. So far, dozens of consumer and privacy advocates, economists, and corporate executives have testified in the House and Senate. But because it's complex stuff, you probably haven't read much about it in the papers. I've been keeping an eye on the testimony. And here's how it breaks down: Consumer advocates and state attorneys general say the credit industry is a mess when it comes to protecting consumer data -- and that states should have the right to pass laws to protect their citizens. Industry lobbyists champion the status quo and warn that any change will disable the "miracle of instant credit" that underpins the American economy.
Letting states create their own laws on financial privacy would no doubt lead to more contention at a number of levels -- including the courts. Yet the industry's argument that instant credit is in danger seems like nonsense to me. There's hardly any evidence -- at least, none anyone has presented so far -- that giving states a chance to strengthen their privacy laws will undermine the U.S. credit system. Rather, most studies show that in states with stricter privacy laws, the system is fairer -- and more useful. As for the status quo, well, it isn't without its pitfalls. A few examples:
The number of identity-theft complaints has skyrocketed every year for the last three years. In 2002, alone, consumers reported 162,000 incidents of identity theft to the Federal Trade Commission, which administers the FCRA. That's double the 86,000 reported in 2001.
Insurers and others are now allowed to use credit scores to hike rates on auto and other types of insurance (see BW Online, 4/15/02, "How Fair is Fair Isaac?").
Consumers now face a Kafkaesque nightmare when they try to correct errors in their credit reports, since no one, not the corporation collecting the data nor the credit bureau that aggregates it, faces serious consequences for getting it wrong (see BW Online, 8/29/02, "Who's Policing the Credit Cops?").
STATES' RIGHTS. "The situation is dire," argues Ed Mierzwinski, program director at consumer-advocacy outfit U.S. Public Interest Research Group, who helped me put together this list. "That's why defending the FCRA and states' rights are the highest priority for the state attorneys general and the consumer and privacy communities." On Dec. 7, the National Association of Attorneys General universally adopted a resolution asking Congress to let the FCRA preemption expire.
The financial-services industry has a different take. "The economy is national. Forty-two million Americans move every year. Six million Americans have second or vacation homes, many in a different state," says John Ford, chief privacy officer for credit-rating agency Equifax (EQX
). "If preemption lapses and state laws proliferate, determining which state laws apply in the event of a conflict would be difficult, if not impossible...resulting in higher costs for consumers."
As I said, that would be bad. Yet studies show that disparate state laws don't impede the "miracle of instant credit." In testimony a month ago before a House subcommittee on financial institutions and consumer credit, Fordham University law professor Joel Reidenberg demonstrated that lenders make better credit decisions in California, Massachusetts, and Vermont -- states that have stringent protective credit laws that were "grandfathered" in under the 1996 preemption. Vermont has the lowest incidence of consumer bankruptcy in the nation. Massachusetts ranks next, and California is below the national median, with a rank of 27.
Auto-loan rates are also low in two of these states: Again, Vermont is lowest in the nation, and Massachusetts ranks 24th -- just above the national average. California ranks 31st. While it's impossible to prove that these states' privacy laws are responsible for the low rates, it's also clear the laws have no ill effect on residents' access to credit.
VOLUNTARY ACTION? Strong state laws can also help protect the wider population. This spring, Visa announced that it would "voluntarily" truncate credit-card numbers on receipts in an effort to stop card fraud. It makes for a nice press release, but Visa's decision was hardly pioneering. In 2001, California and Washington, among other states, had already enacted laws that required credit-card companies to do just that. Now that Visa is in compliance with those state laws, privacy advocates are optimistic that Congress will enact a national law requiring other credit-card outfits to do the same.
Industry executives retort that letting states set de facto standards is putting the cart before the horse. Congress spent seven years debating the 1996 amendments, they say, and the logic still stands. "We feel the test results are in," says Stuart Pratt, president and CEO of the Consumer Data Industry Assn., which represents credit- and mortgage-reporting agencies. "The time has come to make preemption permanent."
Consumers -- fearful of rising identity theft and, on occasion, furious with rampant information-sharing -- might disagree. As the U.S. becomes increasingly dependent on credit, it's imperative to hold the financial industry to the highest standards. And as U.S. PIRG's Mierzwinski points out, Congress seldom enacts strong consumer laws until after a big scandal -- or a threat of action by the states. "Remember, even Enron wasn't enough to guarantee corporate reform. It also took WorldCom," he says.
That's reason enough, if anyone is listening, to give Jackie Speier and other state legislators a chance. Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column